hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HTTPCLIENT-1262) Weird SSL issue (peer not authenticated) [www.popcornopolis.com]
Date Sat, 17 Nov 2012 16:44:13 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13499457#comment-13499457
] 

Oleg Kalnichevski edited comment on HTTPCLIENT-1262 at 11/17/12 4:43 PM:
-------------------------------------------------------------------------

What does this all tell you?

The certificate presented by the target site is clearly not trusted, as it is not present
on the list of trusted CAs. If developers of curl or Ning http client think it is a good idea
to trust certificates like that by default it is their problem

---
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit, O=SomeOrganization,
L=SomeCity, ST=SomeState, C=--
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 130239717645625039446867810265815675924598680366480291538572828355817948069212793748514833469893116011718880147177173794012266279892499833991844993361925891994365964380211747649162835760408844922777394424037787481478926521393063444048231969253187639595947459432351132031539503977746849948171699101810298296153
  public exponent: 65537
  Validity: [From: Mon Oct 15 22:46:23 CEST 2012,
               To: Tue Oct 15 22:46:23 CEST 2013]
  Issuer: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit, O=SomeOrganization,
L=SomeCity, ST=SomeState, C=--
  SerialNumber: [    59ce]
---

Having said that one can easily configure HttpClient to accept such certificates if really
necessary.

Oleg

---
SSLSocketFactory sslsf = new SSLSocketFactory(
        new TrustSelfSignedStrategy(), new AllowAllHostnameVerifier());
Scheme https = new Scheme("https", 443, sslsf);
DefaultHttpClient httpclient = new DefaultHttpClient();
httpclient.getConnectionManager().getSchemeRegistry().register(https);
HttpGet httpget = new HttpGet("https://www.popcornopolis.com/");
HttpResponse response = httpclient.execute(httpget);
try {
    System.out.println("----------------------------------------");
    System.out.println(response.getStatusLine());
} finally {
    EntityUtils.consume(response.getEntity());
}
---
[DEBUG] BasicClientConnectionManager - Get connection for route {s}->https://www.popcornopolis.com
[DEBUG] DefaultClientConnectionOperator - Connecting to www.popcornopolis.com:443
[DEBUG] RequestAddCookies - CookieSpec selected: best-match
[DEBUG] RequestAuthCache - Auth cache not set in the context
[DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
[DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
[DEBUG] DefaultHttpClient - Attempt 1 to execute request
[DEBUG] DefaultClientConnection - Sending request: GET / HTTP/1.1
[DEBUG] headers - >> GET / HTTP/1.1
[DEBUG] headers - >> Host: www.popcornopolis.com
[DEBUG] headers - >> Connection: Keep-Alive
[DEBUG] headers - >> User-Agent: Apache-HttpClient/4.2.2 (java 1.5)
[DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 200 OK
[DEBUG] headers - << HTTP/1.1 200 OK
[DEBUG] headers - << Date: Sat, 17 Nov 2012 16:40:46 GMT
[DEBUG] headers - << Server: Apache
[DEBUG] headers - << X-Powered-By: PHP/5.3.14 ZendServer/5.0
[DEBUG] headers - << Set-Cookie: frontend=6u7ajad46vmf1531gb2d6m3lg0; expires=Sat, 24-Nov-2012
16:40:48 GMT; path=/; domain=www.popcornopolis.com; HttpOnly
[DEBUG] headers - << Expires: Thu, 19 Nov 1981 08:52:00 GMT
[DEBUG] headers - << Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
[DEBUG] headers - << Pragma: no-cache
[DEBUG] headers - << Vary: Accept-Encoding,User-Agent
[DEBUG] headers - << Keep-Alive: timeout=15, max=100
[DEBUG] headers - << Connection: Keep-Alive
[DEBUG] headers - << Transfer-Encoding: chunked
[DEBUG] headers - << Content-Type: text/html; charset=UTF-8
[DEBUG] ResponseProcessCookies - Cookie accepted: "[version: 0][name: frontend][value: 6u7ajad46vmf1531gb2d6m3lg0][domain:
www.popcornopolis.com][path: /][expiry: Sat Nov 24 17:40:48 CET 2012]". 
[DEBUG] DefaultHttpClient - Connection can be kept alive for 15000 MILLISECONDS
----------------------------------------
HTTP/1.1 200 OK
[DEBUG] BasicClientConnectionManager - Releasing connection org.apache.http.impl.conn.ManagedClientConnectionImpl@4104c575
[DEBUG] BasicClientConnectionManager - Connection can be kept alive for 15000 MILLISECONDS
---
                
      was (Author: olegk):
    What does this all tell you?

The certificate presented by the target site is clearly not trusted, as it is not present
on the list of trusted CAs. If developers of curl or Ning http client trunk it is a good idea
to trust certificates like that by default it is their problem

---
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit, O=SomeOrganization,
L=SomeCity, ST=SomeState, C=--
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 130239717645625039446867810265815675924598680366480291538572828355817948069212793748514833469893116011718880147177173794012266279892499833991844993361925891994365964380211747649162835760408844922777394424037787481478926521393063444048231969253187639595947459432351132031539503977746849948171699101810298296153
  public exponent: 65537
  Validity: [From: Mon Oct 15 22:46:23 CEST 2012,
               To: Tue Oct 15 22:46:23 CEST 2013]
  Issuer: EMAILADDRESS=root@web01, CN=web01, OU=SomeOrganizationalUnit, O=SomeOrganization,
L=SomeCity, ST=SomeState, C=--
  SerialNumber: [    59ce]
---

Having said that one can easily configure HttpClient to accept such certificates if really
necessary.

Oleg

---
SSLSocketFactory sslsf = new SSLSocketFactory(
        new TrustSelfSignedStrategy(), new AllowAllHostnameVerifier());
Scheme https = new Scheme("https", 443, sslsf);
DefaultHttpClient httpclient = new DefaultHttpClient();
httpclient.getConnectionManager().getSchemeRegistry().register(https);
HttpGet httpget = new HttpGet("https://www.popcornopolis.com/");
HttpResponse response = httpclient.execute(httpget);
try {
    System.out.println("----------------------------------------");
    System.out.println(response.getStatusLine());
} finally {
    EntityUtils.consume(response.getEntity());
}
---
[DEBUG] BasicClientConnectionManager - Get connection for route {s}->https://www.popcornopolis.com
[DEBUG] DefaultClientConnectionOperator - Connecting to www.popcornopolis.com:443
[DEBUG] RequestAddCookies - CookieSpec selected: best-match
[DEBUG] RequestAuthCache - Auth cache not set in the context
[DEBUG] RequestTargetAuthentication - Target auth state: UNCHALLENGED
[DEBUG] RequestProxyAuthentication - Proxy auth state: UNCHALLENGED
[DEBUG] DefaultHttpClient - Attempt 1 to execute request
[DEBUG] DefaultClientConnection - Sending request: GET / HTTP/1.1
[DEBUG] headers - >> GET / HTTP/1.1
[DEBUG] headers - >> Host: www.popcornopolis.com
[DEBUG] headers - >> Connection: Keep-Alive
[DEBUG] headers - >> User-Agent: Apache-HttpClient/4.2.2 (java 1.5)
[DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 200 OK
[DEBUG] headers - << HTTP/1.1 200 OK
[DEBUG] headers - << Date: Sat, 17 Nov 2012 16:40:46 GMT
[DEBUG] headers - << Server: Apache
[DEBUG] headers - << X-Powered-By: PHP/5.3.14 ZendServer/5.0
[DEBUG] headers - << Set-Cookie: frontend=6u7ajad46vmf1531gb2d6m3lg0; expires=Sat, 24-Nov-2012
16:40:48 GMT; path=/; domain=www.popcornopolis.com; HttpOnly
[DEBUG] headers - << Expires: Thu, 19 Nov 1981 08:52:00 GMT
[DEBUG] headers - << Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
[DEBUG] headers - << Pragma: no-cache
[DEBUG] headers - << Vary: Accept-Encoding,User-Agent
[DEBUG] headers - << Keep-Alive: timeout=15, max=100
[DEBUG] headers - << Connection: Keep-Alive
[DEBUG] headers - << Transfer-Encoding: chunked
[DEBUG] headers - << Content-Type: text/html; charset=UTF-8
[DEBUG] ResponseProcessCookies - Cookie accepted: "[version: 0][name: frontend][value: 6u7ajad46vmf1531gb2d6m3lg0][domain:
www.popcornopolis.com][path: /][expiry: Sat Nov 24 17:40:48 CET 2012]". 
[DEBUG] DefaultHttpClient - Connection can be kept alive for 15000 MILLISECONDS
----------------------------------------
HTTP/1.1 200 OK
[DEBUG] BasicClientConnectionManager - Releasing connection org.apache.http.impl.conn.ManagedClientConnectionImpl@4104c575
[DEBUG] BasicClientConnectionManager - Connection can be kept alive for 15000 MILLISECONDS
---
                  
> Weird SSL issue (peer not authenticated) [www.popcornopolis.com]
> ----------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1262
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1262
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpAuth, HttpClient
>    Affects Versions: 4.2.2
>         Environment: JDK 1.6, Mac OS X 10.{6,8}, Ubuntu
>            Reporter: C├ędric Chantepie
>            Priority: Trivial
>              Labels: pki, ssl
>
> Try to request some HTTPS websites, we get 'PKIX path building failed' error.
> Seems it's about intermediate/chain certificate.
> Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1764)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
> at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:958)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
> at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
> at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> at org.jirafe.shaded.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
> at org.jirafe.shaded.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
> at org.jirafe.shaded.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
> at org.jirafe.shaded.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
> at org.jirafe.shaded.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
> at org.jirafe.shaded.httpclient.HttpClient.executeMethod(HttpClient.java:397)
> at org.jirafe.shaded.httpclient.HttpClient.executeMethod(HttpClient.java:323)
> at Test.main(Test.java:22)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
> at sun.security.validator.Validator.validate(Validator.java:218)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
> at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
> ... 17 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
> ... 23 more

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message